Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20121115003132.GA6428@openwall.com>
Date: Thu, 15 Nov 2012 04:31:32 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Premchand Koneru <pkoneru@...sta.com>
Subject: Re: Request for linux-distros@...openwall.org membership

All -

On Mon, Nov 12, 2012 at 09:14:55PM +0530, Premchand Koneru wrote:
> It should be available now. Please try again with the same key.

I've just subscribed Premchand to linux-distros (and hence to distros as
well).

I feel that the question of MontaVista's list membership is _mostly_
separate from who is subscribed for MontaVista, although I do see _some_
overlap between these two questions:  If MontaVista appoints someone not
known in the community for doing relevant work before, then arguably
this does suggest that MontaVista is less likely to be making good use
of advance notification that the list provides.

A Google web search for "Premchand Koneru" finds primarily this very
thread on oss-security.  This does look like a bad sign to me.

That said, Premchand is now subscribed, and I think we may want to
revisit the topic of which distros are on the lists - a separate topic.

I think that MontaVista are not the only ones making arguably too little
use of the info, and that's not good overall.  To single out MontaVista
just because they happened to ask for a new person to be subscribed now
would be wrong.  (In fact, by asking they demonstrated that they at
least care, which is a good sign.)

I think it will never be clear where to draw the line, nor whether to
host these lists at all.  It's always a trade-off, and it's subjective.
As yet another non-perfect workaround, though, we could setup yet
another two lists with just the distros who have demonstrated making
good and timely use of the info - then let senders decide who to notify
(all or the selected few).  Would this work well?  I doubt it, but we
could try.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.